FILE SYSTEM SUPPORT FOR ROLLING KEYS ON FILE EXTENTS

US 20170359174A1
Filed: 09/23/2016
Published: 12/14/2017
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A method for re-encrypting file extents of files at a computing device, the method comprising:

by a processor of the computing device;

receiving a request to update an encryption scheme applied to a file, wherein the file is comprised of a plurality of file extents;

identifying, based on metadata associated with the file, at least one file extent of the plurality of file extents that is encrypted using a first encryption key that is to be updated;

decrypting the at least one file extent using the first encryption key;

encrypting the at least one file extent using a second encryption key that is different than the first encryption key; and

updating the metadata to indicate that the at least one file extent is encrypted with the second encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This application sets forth a key rolling technique for a file system of a computing device. The key rolling technique allows for files to be transparently re-encrypted in a background process while still allowing applications to access the files being re-encrypted. During re-encryption, at least one file extent of a file is decrypted using a current key for the file extent and re-encrypted using a new key for the file extent. Moreover, the file extent can be relocated to another location in memory during re-encryption to enhance accessibility and crash protection features. Metadata associated with the file can be updated to include information pertaining to both the location of the re-encrypted file extent as well as the new key that can be used to decrypt the re-encrypted file extent. In this manner, the metadata can be used to properly construct a complete file when the file needs to be accessed.

27 Citations

View as Search Results

20 Claims

1. A method for re-encrypting file extents of files at a computing device, the method comprising:
- by a processor of the computing device;
  
  receiving a request to update an encryption scheme applied to a file, wherein the file is comprised of a plurality of file extents;
  
  identifying, based on metadata associated with the file, at least one file extent of the plurality of file extents that is encrypted using a first encryption key that is to be updated;
  
  decrypting the at least one file extent using the first encryption key;
  
  encrypting the at least one file extent using a second encryption key that is different than the first encryption key; and
  
  updating the metadata to indicate that the at least one file extent is encrypted with the second encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein at least one other file extent of the plurality of file extents is encrypted using a third encryption key that is different from both the first encryption key and the second encryption key.
  - 3. The method of claim 1, further comprising, prior to decrypting the at least one file extent:
    - writing the at least one file extent to a new memory span that is different than a current memory span of the at least one file extent.
  - 4. The method of claim 3, further comprising:
    - updating the metadata to reference the new memory span.
  - 5. The method of claim 3, further comprising:
    - designating the current memory span as free space.
  - 6. The method of claim 1, wherein encrypting the at least one file extent comprises locking the at least one file extent from being accessed until the metadata is updated.
  - 7. The method of claim 1, further comprising:
    - permitting, while encrypting the at least one file extent using the second encryption key, an application of the computing device to access other file extents included in the plurality of file extents.

8. A non-transitory computer readable storage medium configured to store instructions that, when executed by a processor included in a computing device, cause the computing device to re-encrypt file extents of files at the computing device, by carrying out steps that include:
- receiving a request to update an encryption scheme applied to a file, wherein the file is comprised of a plurality of file extents;
  
  identifying, based on metadata associated with the file, at least one file extent of the plurality of file extents that is encrypted using a first encryption key that is to be updated;
  
  decrypting the at least one file extent using the first encryption key;
  
  encrypting the at least one file extent using a second encryption key that is different than the first encryption key; and
  
  updating the metadata to indicate that the at least one file extent is encrypted with the second encryption key.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer readable storage medium of claim 8, wherein at least one other file extent of the plurality of file extents is encrypted using a third encryption key that is different from both the first encryption key and the second encryption key.
  - 10. The non-transitory computer readable storage medium of claim 8, wherein encrypting the at least one file extent comprises locking the at least one file extent from being accessed until the metadata is updated.
  - 11. The non-transitory computer readable storage medium of claim 8, wherein the request is received in response to the computing device being connected to an external power supply.
  - 12. The non-transitory computer readable storage medium of claim 8, wherein the file is associated with a group of users, and the request is received in response to a user leaving the group.
  - 13. The non-transitory computer readable storage medium of claim 8, wherein the first encryption key and the second encryption key have different times of origination.

14. A computing device configured to re-encrypting file extents of files at a computing device, the computing device comprising a processor configured to cause the computing device to carry out steps that include:
- receiving a request to update an encryption scheme applied to a file, wherein the file is comprised of a plurality of file extents;
  
  identifying, based on metadata associated with the file, at least one file extent of the plurality of file extents that is encrypted using a first encryption key that is to be updated;
  
  decrypting the at least one file extent using the first encryption key;
  
  encrypting the at least one file extent using a second encryption key that is different than the first encryption key; and
  
  updating the metadata to indicate that the at least one file extent is encrypted with the second encryption key.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computing device of claim 14, wherein at least one other file extent of the plurality of file extents is encrypted using a third encryption key that is different from both the first encryption key and the second encryption key.
  - 16. The computing device of claim 14, wherein the steps further include, prior to decrypting the at least one file extent:
    - writing the at least one file extent to a new memory span that is different than a current memory span of the at least one file extent.
  - 17. The computing device of claim 16, wherein the steps further include:
    - updating the metadata to reference the new memory span.
  - 18. The computing device of claim 16, wherein the steps further include:
    - designating the current memory span as free space.
  - 19. The computing device of claim 14, wherein encrypting the at least one file extent comprises locking the at least one file extent from being accessed until the metadata is updated.
  - 20. The computing device of claim 14, wherein the steps further include:
    - permitting, while encrypting the at least one file extent using the second encryption key, an application of the computing device to access other file extents included in the plurality of file extents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
TAMURA, Eric B., GIAMPAOLO, Dominic B., YANCEY, Kelly B.

Granted Patent

US 10,454,679 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/164   File meta data generation

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

H04L 9/0891   Revocation or update of sec...

H04L 9/16   the keys or algorithms bein...

FILE SYSTEM SUPPORT FOR ROLLING KEYS ON FILE EXTENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FILE SYSTEM SUPPORT FOR ROLLING KEYS ON FILE EXTENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links